It was supposed to be a weekend celebrating Hearthstone esports to its absolute maximum. Hundreds of Hearthstone players, aspiring pros and field-tested veterans alike, had gathered in Las Vegas for the first ever Masters Tour. On the line: prestige, $500,000 and chances for a coveted spot in the Hearthstone Grandmasters league next year. However, the event should've been all about competition got stained from day 1.

A story of chaos, lies and one of the worst apologies in recent esports history. In this article, we recap what happened, with comments from players who were at the tournament and show how it happened. We've also obtained proof that Battlefy, contrary to their own statements, was aware of this issue months before it got found its way into the spotlight, but didn't bother notifying anyone until it publicly damaged their face. At the cost of competitive Hearthstone's integrity.

The tweet and the chaos that followed

It's about 3:30 am PST on June 14th—the first day of Hearthstone's Masters Tour in Las Vegas. The almost three hundred attending players are still asleep as the tournament isn't starting for another five and a half hours. Yet, one of the most impactful events of the tournament takes place. As the participants lay snoozing in their hotel rooms, French Hearthstone player Friiz tweets out which class players had selected in Battlefy at that time.

The problem: this information shouldn't be public yet. The deck submission deadline wasn't for another few hours, and only then should everyone have access to the picked classes in the open deck format. Now the information is out in the open with everyone still having time to adapt. For people looking to bring surprise strategies, this meant all of the surprise was gone.

So how did Friiz get access to this information? Did he personally ask 297 players what class they were bringing, and did all of those players willingly share that? No, of course not. When questioned on how he was able to access this information, he explained his discovery of a backdoor into Battlefy's data.

When the class info reached the players, the venue started buzzing. With the final submission deadline mere hours away, many attendees looked over their own strategy again. Elias "Bozzzton" Sibelius decided not to change anything: "I don't think everyone saw the leak (...) since it just showed in a tweet, from my understanding. I personally did not change anything in my lineup, but already had a good lineup against the field that was displayed." Sebastian "Xixo" Bentert felt no changes were necessary for his lineup either, but he did notice the chaos when arriving at the venue: "I hadn't changed my decks because for one the distribution was very close to what I predicted and also just didn't want to submit new deck while being in a room with all 300 players. Some friends of mine saw the leak before going to the tournament area and changed their lineup."

Fran "PNC" Leimontas felt only one card change was necessary, but he too knows participants that changed the lineup more drastically: "Almost everyone changed tech cards, and I know at least 6 people who changed their decks after the leak."

When the deck submission deadline closed, the landscape had changed. In terms of classes, there hadn't been massive shifts, but shifts nonetheless. In truth, these shifts could only really be noticed by an outside party looking in at the broad numbers, IE how much a certain class is brought.

For example, if a player changes from Paladin to Warrior and another player does the opposite the change isn't noticeable, it appears as if nothing has changed despite specific lineups changing drastically. Moreover, speaking of these specifics, changes to tech cards—extremely important in Hearthstone's Specialist format—can not be noticed either.

A poor first response

Evidently, the integrity of Hearthstone's first Masters Tour event had been damaged severely. But it's hard—and would be unjustified given that none of them did anything wrong here—to blame the players, as Julien "Cydonia" Perrault notes too: "I did see a lot of people changing lists. They did so openly for the most part and I don't see anything wrong with it. The blame lies entirely with Battlefy." But despite what many Hearthstone players' own eyes were telling them, Battlefy tried to save face in a hilariously poor way.

The platform went full Orwellian and told everyone to believe what they told them to, abandoning evidence right in front of them. A day later three follow-up tweets took back those words and asserted that they "will work tirelessly over the coming weeks to ensure that this does not happen again."

As for Blizzard, they understandably let the event continue. After months of preparation and with almost three hundred competitors in the building, calling the entire event off without grasping the scope of the problem is simply unreasonable. Afterwards, Blizzard responded to InvenGlobal regarding the leak somewhat disappointingly, with a standard PR spin:

"While the Class leak was a disappointing start to the weekend, we are thrilled with the high-level of competition from all of our players and the growing community around Hearthstone Masters. (...) As soon as the Class leak was brought to our attention we worked with Battlefy to ensure it was addressed. Battlefy has assured us they are working diligently in assessing its APIs for any other system vulnerabilities to ensure this does not happen in the future."

A pretty big loophole

So how exactly was this possible? What caused class and specific deck info, supposed to be sealed shut on the website, to be out in the open?

It all has to do with Battlefy's Application Programming Interface, commonly abbreviated to API. A good analogy to explain its role is to compare it to a person sitting in a restaurant ordering food. The API's role is like a waiter's: it tells the server which information was requested by the user, and then brings it to the user's screen. But what if, through some specific ordering, Battlefy users could ask the site to bring up the exact decklists an opponent is bringing to a tournament long before that information should be public?

Well, that's exactly what Battlefy's API—a pretty bad waiter—allowed. Here's how it worked:

• Go to the Battlefy website on Google Chrome
• Search for the tournament you'd like to obtain players' deck info from
• Copy the tournament's specific code (we've used the first Hearthstone Masters Qualifier for Bucharest as an example):

• Now add that code where [CODE] is in the following link: dtmwra1jsgyb0.cloudfront.net/tournaments/[CODE]/teams
• You're presented with a long list comprised of all players in the tournament in a very chaotic page

• Copy the ID code of the player whose decks you want to scout, and add it to the end of the URL using /[Player ID]
• You're now presented with the deck codes of the player.

As of writing the article, this specific trick to obtain the decklists does not work anymore.

Months of keeping quiet while Hearthstone esports suffered

As Battlefy publicly apologized in attempt to save face—and keep Blizzard as a business partner—the community started responding. Apparently, this issue had been around for quite a while. Months, if not over a year ago, the website was informed that its API had loopholes providing anyone knowing the trick with information putting said person in a serious advantage over the competition.

When we reached out to Battlefy to comment on the situation, we asked a couple of questions. Among others, we asked how many players changed classes and tech cards shortly before the deck submission deadline, and how it compared to "the normal behaviour" their tweet referred to. We also asked for comments on the allegations by people saying that Battlefy had known about this problem for a long time and if they had filled Blizzard in on the situation at that time. Battlefy told us to wait for a blog post, and so we did.

When the blog finally went live on June 28th, it offered the expected apologies, assurances that it wouldn't happen again et cetera. But most importantly, it offered a timeline of the whole ordeal according to Battlefy:

• "Battlefy was initially notified about the issue the morning of June 14th. Internal investigation began immediately.
• The first endpoint was disclosed to Battlefy at 8:42 am PDT by the community and was closed by the Battlefy development team at 11:26 am PDT.
• A second endpoint was disclosed to Battlefy at 3:57 pm PDT by the community and was closed by the Battlefy development team at 4:52 pm PDT."

The first bullet point in the timeline is the most important one. Battlefy states that the morning of June 14th was the first time they were notified about the API leak.

But that's a lie, and we have proof.

One of the people responding to Battlefy's tweets is a tournament organizer for Shadowverse, another card game. Similarly to Hearthstone, players have to submit decks on Battlefy for a pick and ban phase. But when players can easily access each others' strategies, the tournament turns into nothing more than a fun showmatch. Below you can see a conversation this tournament organizer had with Battlefy's Support, explaining the steps necessary for circumventing the system.

As can be seen on the final screenshot, this conversation happened early April. Months before Hearthstone's Master Tour in Las Vegas took place. With an offhand "we'll look into it", the conversation ends. But no action is taken to guarantee games like Hearthstone and Shadowverse can continue to be played with competitive integrity upheld.

This is the earliest tangible proof we've been able to acquire. But it makes the messages of others, saying that they told Battlefy about this issue over a year ago, much more believable.

An honest company would publicly announce that their tournaments' integrity has been compromised and that therefore no tournaments would be held for games that require the site's pick and ban mechanics. But saving the face of the business turned out to be more important than delivering an honest competitive environment.

You'd think that, being aware of the issue for this long, Battlefy would at least inform their partners about it. It seems that they didn't do that or at least they didn't inform Blizzard. According to a response from Hearthstone esports team's when asked about knowledge of the problem, they said that they "were unaware of a potential issue with Battlefy’s API ahead of the Masters Tour Las Vegas."

Not a good look for Battlefy.

The implications

Battlefy's mistakes and lies have been damaging to competitive Hearthstone and all other esports that relied on the site for any type of pick and ban phase. Rumors have gone around that insider groups have had access to the API's backdoor for al long time, allowing them to obtain crucial info far before their opponents could. Whether or not these rumors are true hasn't been verified yet, however, and it has to be said that the vast majority of Hearthstone players uphold strong integrity values. When reaching out to players, no one was able to name anyone that has used the loophole in any Battlefy tournament.

It's an expected result though. If someone is operating from within the darker grey areas of competitive ethics, they aren't going to loudly brag about loopholes such as these merely to flex their muscles—it would risk killing the goose that lays the golden eggs.

Even with the benefit of the doubt and solely looking at the tangible evidence that has surfaced, it's clear that, through Battlefly, a monstrous amount of tournaments have been compromised. Since early April, hundreds of Masters Tours qualifiers have been held. And that's Hearthstone alone. The odds of not a single player having abused the loophole, when there's this much at stake, are stacked against Battlefy.

And now... nothing, most likely

Hearthstone players have advocated against Battlefy for years now, and this is their most powerful argument yet. In an ideal world, we would have been able to find out just how many tournaments have been compromised by the malfunctioning API of Battlefy. In an ideal world, we'd have been able to analyze in which tournaments the same players changed decks minutes before the deck submission deadline, to a deck more favorable against the then-hidden field.

But we all know that's not going to happen. While Hearthstone's esports team is listening more to players this year in terms of tweaking the competitive arena, the company is largely still as stubborn as it has ever been. In spite of many outcries, they decided to partner up with Battlefy instead of the much more appreciated Smash.gg. So it's unlikely that Blizzard will show Battlefy the door.

And it's even unlikelier Battlefy finds the exit itself.